Piergiorgio Ladisa (@piergiorgiolad)'s Twitter Profile
Piergiorgio Ladisa

@piergiorgiolad

Security Researcher PhD Student @ SAP Security Research focusing on OSS Supply Chain security

ID: 1080782540858970112

Link: https://github.com/piergiorgioladisa

Joined: 03-01-2019 11:06:52

25 Tweets

72 Followers

180 Following

Slim Trabelsi (@slim_security)

Preventing SAP Customers from Leaking Secrets on Github blogs.sap.com/2022/09/06/pre… #password #leak #github #MachineLearning #CyberSecurity #saplabsfrance #SAP #codescan SAP Labs in France SAP Security

Henrik Plate (@henrikplate)

Just today, an article on software supply chain security, written with Wolfram Fischer, got published in the German IT magazine iX. It picks up our works on a taxonomy of supply chain attacks, done together with Piergiorgio Ladisa, @barais and Matias Sebastian Martinez...

Piergiorgio Ladisa (@piergiorgiolad)

[OSS Supply Chain Attacks] Please be careful in installing the package named "mypackage1337" from PyPI. I just discovered it contains malicious code which supposedly spawns a reverse shell (inspector.pypi.io/project/mypack…) IOC: http[://]108[.]61[.]251[.]172 The package has been reported

José Miguel Parrella (JMP) (@bureado)

Santiago Dan Lorenc Luke Hinds John Speed Meyers A few more resources: attack.mitre.org/techniques/T08… github.com/slsa-framework… arxiv.org/abs/2005.09535 arxiv.org/abs/2204.04008 youtube.com/watch?v=00R1JG… haydock.substack.com/p/what-is-a-so…

Piergiorgio Ladisa (@piergiorgiolad)

[Malicious packages in npm] Don't install the packages:
- duc.utils.conditional-wrapper
- duc.fragments.spinner
- duc.utils.conditional-wrapper
- duc.components.cardshell
- excessively-safe-call
- shein-bbl
- shein-components
They exfiltrate data at installation time

Piergiorgio Ladisa (@piergiorgiolad)

First day at ACM CCS 2025 2022. I’m really excited to attend the event in person and for this great experience. #softwaresecurity #opensource #supplychainattacks #SAP #securityresearch #INRIA #AssureMOSS #SPARTA

Antonino Sabetta (@antoninosabetta)

Risk Explorer to be presented by Volkmar Lotz at Trustworthy and Secure OSS. swforum.eu/trustworthy-an… Try the tool here: sap.github.io/risk-explorer-… AssureMOSS Piergiorgio Ladisa Henrik Plate

Piergiorgio Ladisa (@piergiorgiolad)

I'm really glad to see that the Risk Explorer (sap.github.io/risk-explorer-…) is now appearing in the latest SAP Open Source Report 2022. Check it out and... beware of imitations! :P

Antonino Sabetta (@antoninosabetta)

SAP Security Research RiskExplorer for SW supply chains finds in Endor Labs a new adopter and precious contributor. endorlabs.com/blog/exploring… Well done Piergiorgio Ladisa Henrik Plate S. N. Barai and Matias S. Martinez! AssureMOSS SAP Open Source SAP Labs in France #sapsecurityresearch

Andrea Fioraldi (@andreafioraldi)

Don't miss it if you are a PhD student in the field. I'll give a lecture about the state of modern fuzzing with a foot in research and the other in engineering.

Securing Bits (@securing_bits)

Taxonomy of attacks on open-source software supply chain based on 94 real-world incidents. Based on the recent paper by Piergiorgio Ladisa, Henrik Plate, S. N. Barai and Matias S. Martinez. Link: [sap.github.io/risk-explorer-…] #opensource #CyberSecurity #BugBounty

CSAWEurope (@csaweurope)

🥉🥈🥇 CSAW'23 Europe: Congratulations to the winners of the Applied Research Competition
1st place: Piergiorgio Ladisa
2nd place: Soheil Khodayari
3rd place: Mikhail Shcherbakov
Congratulations to all the finalists for your high quality work!!
#csaw #cybersecurity

ACSAC (@acsac_conf)

Today's #ACSAC2023 paper #preview is Ladisa et al.'s work on detecting #malware in #npm and #PyPI packages using a language-independent approach. openconf.org/acsac2023/modu… Piergiorgio Ladisa Serena Elisa Ponta S. N. Barai SAP Inria Université de Rennes

Securing Bits (@securing_bits)

Taxonomy of attacks on open-source software supply chain based on 94 real-world incidents. It is based on the paper by Piergiorgio Ladisa, Henrik Plate, @barais and Matias S. Martinez. Link: [sap.github.io/risk-explorer-…] #applicationsecurity #opensource
